Wallets And Key Storage
Generated vs imported wallets, passphrases, and recovery shares.
Seashail is designed so the agent process never receives key material.
Wallet Types
Generated Wallets
Generated wallets are created inside Seashail and protected using Shamir Secret Sharing (2-of-3):
- Share 1: encrypted with a machine secret stored in config_dir
- Share 2: encrypted with a key derived from your passphrase
- Share 3: shown once as an offline backup and also stored encrypted for explicit export/rotation
Normal operation reconstructs the key from shares 1 + 2, signs, then zeroes the key material in memory.
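A minimal model of the 2-of-3 flow described above, added here as an illustration and not Seashail's own code. It assumes a prime field of 2^255-19 and a plain (x, y) share encoding, which this page does not specify, and it leaves out the per-share encryption (machine secret, passphrase-derived key); demo_sign is a constructed HMAC stand-in for the real signer.

```python
import hashlib
import hmac
import secrets

# Assumption: Seashail's actual field and share encoding are not documented here;
# 2^255-19 is used only so a 32-byte key fits in a single field element.
P = 2**255 - 19
SHARES = 3  # threshold is 2 because the polynomial below has degree 1

def split_2_of_3(secret: bytes) -> list:
    """Shamir 2-of-3: f(x) = s + a*x over GF(P); share i is (i, f(i)).
    Any two points fix the line and hence s = f(0); a single point is independent of s."""
    s = int.from_bytes(secret, "big")
    assert s < P, "secret must fit in the field"
    a = secrets.randbelow(P)  # random slope, discarded after splitting
    return [(x, (s + a * x) % P) for x in range(1, SHARES + 1)]

def reconstruct(share_a, share_b, length: int = 32) -> bytearray:
    """Lagrange interpolation at x = 0 from exactly two shares (e.g. shares 1 + 2)."""
    (x1, y1), (x2, y2) = share_a, share_b
    assert x1 != x2, "need two distinct shares"
    l1 = x2 * pow((x2 - x1) % P, -1, P) % P  # weight of share_a at x = 0
    l2 = x1 * pow((x1 - x2) % P, -1, P) % P  # weight of share_b at x = 0
    s = (y1 * l1 + y2 * l2) % P
    return bytearray(s.to_bytes(length, "big"))  # mutable so it can be zeroed

def zeroize(buf: bytearray) -> bytearray:
    """Overwrite key material in place. Caveat: CPython cannot scrub copies made
    from an immutable bytes object, so the key is kept as a bytearray throughout."""
    for i in range(len(buf)):
        buf[i] = 0
    return buf

def demo_sign(key, message: bytes) -> bytes:
    """Constructed stand-in for the signer (HMAC-SHA256, not a wallet signature)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def sign_then_zero(share1, share2, message: bytes, sign=demo_sign) -> bytes:
    """Normal-operation flow: reconstruct from shares 1 + 2, sign, then zero the
    reconstructed key even if signing raises."""
    key = reconstruct(share1, share2)
    try:
        return sign(key, message)
    finally:
        zeroize(key)
```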
Imported Wallets
Imported keys/mnemonics are encrypted at rest using AES-256-GCM with a key derived from your passphrase (Argon2id + HKDF subkeys).
Passphrase Session
To make automation practical, Seashail caches a passphrase-derived key in memory for a configurable window (passphrase_session_seconds).
Headless/unattended environments can opt in to providing the passphrase via environment variable:
SEASHAIL_PASSPHRASE
This is lower security by design (plaintext outside Seashail’s control). Use only if you understand the tradeoff.
Related Tools
create_wallet, import_wallet, add_account, set_active_wallet, export_shares, rotate_shares